SlideShare une entreprise Scribd logo

CMS Hacking 101

Imperva
Imperva

With the rise of blogs, forums, online magazines, e-commerce, and corporate websites, many organizations are turning to Content Management Systems (CMS), such as Joomla or SharePoint, to create rich websites. CMSs simplify website delivery - but they also expose your organization to a new set of vulnerabilities.This presentation shows how malicious hackers exploit vulnerabilities found in popular Content Management Systems to systematically identify and attack unsuspecting organizations.

Technologie
1  sur  38
Télécharger pour lire hors ligne
© 2013 Imperva, Inc. All rights reserved. CMS Hacking 101 Analyzing the Risk with 3rd Party Applications Confidential1 Barry Shteiman Senior Security Strategist
© 2013 Imperva, Inc. All rights reserved. Agenda Confidential2 §  CMS defined §  Risks and trends §  Recent incidents §  Into the details •  An attack campaign •  Industrialized attack campaign §  Reclaiming security
© 2013 Imperva, Inc. All rights reserved. Today’s Speaker - Barry Shteiman Confidential3 §  Senior Security Strategist §  Security consultant working with the CTO office §  Author of several application security tools §  Open source security projects code contributor §  Twitter @bshteiman
© 2013 Imperva, Inc. All rights reserved. CMS Defined Confidential4 Content Management System
© 2013 Imperva, Inc. All rights reserved. What is a CMS? Confidential5 A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Source: https://en.wikipedia.org/wiki/Content_management_system
© 2013 Imperva, Inc. All rights reserved. Deployment Distribution Confidential6 Source: http://trends.builtwith.com/cms
© 2013 Imperva, Inc. All rights reserved. Enterprise Adoption Confidential7
© 2013 Imperva, Inc. All rights reserved. Risks and Trends Confidential8
© 2013 Imperva, Inc. All rights reserved.9 OWASP Top 10 – 2013 Update New, A9 - Using Known Vulnerable Components Confidential
© 2013 Imperva, Inc. All rights reserved.10 3rd Party According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential
© 2013 Imperva, Inc. All rights reserved. When a 3rd Party Brings its Friends Confidential11 §  More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks §  7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks -- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013 You can’t fix code you don’t own, even if you host your own, that code has third party components in it.
© 2013 Imperva, Inc. All rights reserved. Attack Surface Confidential12 Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html BSI is Germany's federal office for information security In a research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core, ~80% in plugins and extensions.
© 2013 Imperva, Inc. All rights reserved. Classic Web Site Hacking Confidential13 Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Single Site Attack
© 2013 Imperva, Inc. All rights reserved. Classic Web Site Hacking Confidential14 Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Multiple Site Attacks
© 2013 Imperva, Inc. All rights reserved. CMS Hacking Confidential15 Hacking 1.  Identify CMS 2.  Find Vulnerability 3.  Exploit CMS Targeting Attack
© 2013 Imperva, Inc. All rights reserved. Recent Incidents Confidential16
© 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Breached via 3rd party application on Drupal.org own servers.
© 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential18 3rd party service provider hacked, customer data affected.
© 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential19 Yahoo’s 3rd party hack as detailed in Imperva’s January HII report. HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
© 2013 Imperva, Inc. All rights reserved. CMS Related Incidents Confidential20
© 2013 Imperva, Inc. All rights reserved. Into the Details Confidential21 How a CMS Attack Campaign Might Look
© 2013 Imperva, Inc. All rights reserved.22 The Attacker’s Focus Server Takeover Direct Data Theft Confidential
© 2013 Imperva, Inc. All rights reserved. CMS Mass Hacking Confidential23 Source: www.exploit-db.com Step 1: Find a vulnerability in a CMS platform Even public vulnerability databases, contain thousands of CMS related vulnerabilities.
© 2013 Imperva, Inc. All rights reserved. CMS Gone Wild(card) Confidential24 Step 2: Identify a fingerprint in a relevant CMS-based site A fingerprint can be •  Image •  URL •  Tag •  Object Reference •  Response to a query •  etc..
© 2013 Imperva, Inc. All rights reserved. Fingerprinted Confidential25 Tag based The code will usually contain fingerprints (unless obfuscated) of the CMS in use.
© 2013 Imperva, Inc. All rights reserved. Fingerprinted Confidential26 URL based An administrator interface may be front facing, allowing detection and login attempts
© 2013 Imperva, Inc. All rights reserved. Google Dork for the Masses Confidential27 §  Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config) §  Results: 144,000
© 2013 Imperva, Inc. All rights reserved. Google Dork for the Masses Confidential28 In our case: Database Host, User and Password Exposed
© 2013 Imperva, Inc. All rights reserved. Botnets Targeting Your CMS Confidential29 Recently Observed: •  Botnets Scan websites for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the Botnet
© 2013 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential30 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team Google Dork
© 2013 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential31 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
© 2013 Imperva, Inc. All rights reserved. Reclaiming Security Confidential32 Securing 3rd Party Applications
© 2013 Imperva, Inc. All rights reserved. Analyzing the Attack Surface Confidential33 Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html BSI is Germany's federal office for information security Certain vulnerabilities in 3rd party applications, can only be properly fixed using Web Application Firewalls.
© 2013 Imperva, Inc. All rights reserved. Deployment Matters Confidential34 Cloud based deploymentOn premise deployment Applications and 3rd party code deployed in your virtual/physical data center. Hosted applications and B2B services. Imperva Incapsula Cloud
© 2013 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage. §  Require third party applications to accept your security policies and put proper controls in place §  Monitor. Recommendations 35 Confidential35
© 2013 Imperva, Inc. All rights reserved. §  Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities §  Pen test before deployment to identify these issues §  Deploy the application behind a WAF to •  Virtually patch pen test findings •  Mitigate new risks (unknown on the pen test time) •  Mitigate issues the pen tester missed •  Use cloud WAF for remotely hosted applications §  Virtually patch newly discovered CVEs •  Requires a robust security update service Technical Recommendations 36 Confidential36
© 2013 Imperva, Inc. All rights reserved. Post-Webcast Discussions Answers to Attendee Questions Webcast Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for… Presentation Materials Confidential3737
© 2013 Imperva, Inc. All rights reserved. www.imperva.com 38 Confidential

Recommandé

Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
Osei Fortune
 
IBM Security Software Solutions - Powerpoint
IBM Security Software Solutions - Powerpoint IBM Security Software Solutions - Powerpoint
IBM Security Software Solutions - Powerpoint
Thierry Matusiak
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Strategies to Combat New, Innovative Cyber Threats - 2017
Strategies to Combat New, Innovative Cyber Threats - 2017Strategies to Combat New, Innovative Cyber Threats - 2017
Strategies to Combat New, Innovative Cyber Threats - 2017
PaladionNetworks01
 
IBM Security Software Solutions - One Pager
IBM Security Software Solutions - One PagerIBM Security Software Solutions - One Pager
IBM Security Software Solutions - One Pager
Thierry Matusiak
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 

Recommandé

Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
Osei Fortune
 
IBM Security Software Solutions - Powerpoint
IBM Security Software Solutions - Powerpoint IBM Security Software Solutions - Powerpoint
IBM Security Software Solutions - Powerpoint
Thierry Matusiak
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Strategies to Combat New, Innovative Cyber Threats - 2017
Strategies to Combat New, Innovative Cyber Threats - 2017Strategies to Combat New, Innovative Cyber Threats - 2017
Strategies to Combat New, Innovative Cyber Threats - 2017
PaladionNetworks01
 
IBM Security Software Solutions - One Pager
IBM Security Software Solutions - One PagerIBM Security Software Solutions - One Pager
IBM Security Software Solutions - One Pager
Thierry Matusiak
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!
IBM Security
 
Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101
PECB
 
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itCloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
IBM Security
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 Challenges
Leandro Bennaton
 
Security Trend Report, 2017
Security Trend Report, 2017Security Trend Report, 2017
Security Trend Report, 2017
Bill Chamberlin
 
IBM Security Strategy
IBM Security StrategyIBM Security Strategy
IBM Security Strategy
Camilo Fandiño Gómez
 
Ibm security products portfolio
Ibm security products portfolioIbm security products portfolio
Ibm security products portfolio
Patrick Bouillaud
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
IBM Security
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
IBM Security
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
IBM Security
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Wannacry & Petya ransomware
Wannacry & Petya ransomwareWannacry & Petya ransomware
Wannacry & Petya ransomware
Raghavendra P.V
 
Check Point Infinity powered by R80.10
Check Point Infinity powered by R80.10Check Point Infinity powered by R80.10
Check Point Infinity powered by R80.10
MarketingArrowECS_CZ
 
How to beat ransomware
How to beat ransomwareHow to beat ransomware
How to beat ransomware
PaladionNetworks01
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Solar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenchesSolar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenches
Infosec
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
Jen Ruhman
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
IBM Security
 
Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
IBM Security
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Edureka!
 
CMS Hacking
CMS Hacking CMS Hacking
CMS Hacking
Barry Shteiman
 
The most possible risk factors faced by Wordpress Developers
The most possible risk factors faced by Wordpress DevelopersThe most possible risk factors faced by Wordpress Developers
The most possible risk factors faced by Wordpress Developers
iMOBDEV Technologies Pvt. Ltd.
 

Contenu connexe

Tendances

Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!
IBM Security
 
Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101
PECB
 
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itCloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
IBM Security
 
Security Trend Report, 2017
Security Trend Report, 2017Security Trend Report, 2017
Security Trend Report, 2017
Bill Chamberlin
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
IBM Security
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
IBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
IBM Security
 

Tendances (20)

Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!Compete To Win: Don’t Just Be Compliant – Be Secure!
Compete To Win: Don’t Just Be Compliant – Be Secure!
 
Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101Thinking like a criminal – Cybersecurity 101
Thinking like a criminal – Cybersecurity 101
 
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itCloud security enforcer - Quick steps to avoid the blind spots of shadow it
Cloud security enforcer - Quick steps to avoid the blind spots of shadow it
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 Challenges
 
Security Trend Report, 2017
Security Trend Report, 2017Security Trend Report, 2017
Security Trend Report, 2017
 
IBM Security Strategy
IBM Security StrategyIBM Security Strategy
IBM Security Strategy
 
Ibm security products portfolio
Ibm security products portfolioIbm security products portfolio
Ibm security products portfolio
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 
Wannacry & Petya ransomware
Wannacry & Petya ransomwareWannacry & Petya ransomware
Wannacry & Petya ransomware
 
Check Point Infinity powered by R80.10
Check Point Infinity powered by R80.10Check Point Infinity powered by R80.10
Check Point Infinity powered by R80.10
 
How to beat ransomware
How to beat ransomwareHow to beat ransomware
How to beat ransomware
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
Solar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenchesSolar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenches
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
 
Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
Cybersecurity Interview Questions and Answers | CyberSecurity Interview Tips ...
 

En vedette

Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
Team Firefly
 

En vedette (7)

CMS Hacking
CMS Hacking CMS Hacking
CMS Hacking
 
The most possible risk factors faced by Wordpress Developers
The most possible risk factors faced by Wordpress DevelopersThe most possible risk factors faced by Wordpress Developers
The most possible risk factors faced by Wordpress Developers
 
Botnets presentation
Botnets presentationBotnets presentation
Botnets presentation
 
Botnets 101
Botnets 101Botnets 101
Botnets 101
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
 
The Loyalty Program: A Recipe for Success
The Loyalty Program: A Recipe for SuccessThe Loyalty Program: A Recipe for Success
The Loyalty Program: A Recipe for Success
 
Digital Strategy 101
Digital Strategy 101Digital Strategy 101
Digital Strategy 101
 

Similaire à CMS Hacking 101

Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
Imperva
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Symantec
 
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
UISGCON
 
Rochester Security Event
Rochester Security EventRochester Security Event
Rochester Security Event
calebbarlow
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
 
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM Security
 
Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales PresentationKey Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentation
rfragola
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM Security
 

Similaire à CMS Hacking 101 (20)

Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
 
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
DSS @CERT.LV_ISACA_2013_Conference - IBM X Force Report 2013
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
 
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
Adrian Aldea - IBM X-Force 2013 Mid-Year Trend and Risk Report #uisgcon9
 
IBM Security intelligence v1 - ahmed el nahas
IBM Security intelligence v1 - ahmed el nahasIBM Security intelligence v1 - ahmed el nahas
IBM Security intelligence v1 - ahmed el nahas
 
Imperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kindImperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kind
 
Security and Audit for Big Data
Security and Audit for Big DataSecurity and Audit for Big Data
Security and Audit for Big Data
 
Rochester Security Event
Rochester Security EventRochester Security Event
Rochester Security Event
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
Detect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksDetect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted Attacks
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for Java
 
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Busin...
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales PresentationKey Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentation
 
IBM security systems overview v1.0 - rohit nagarajan
IBM security systems overview v1.0 - rohit nagarajanIBM security systems overview v1.0 - rohit nagarajan
IBM security systems overview v1.0 - rohit nagarajan
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Hacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd KindHacking Encounters of the 3rd Kind
Hacking Encounters of the 3rd Kind
 
Using m365 defender to protect against solorigate
Using m365 defender to protect against solorigateUsing m365 defender to protect against solorigate
Using m365 defender to protect against solorigate
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
 

Plus de Imperva

Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
Imperva
 

Plus de Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Dernier

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Dernier (20)

AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

CMS Hacking 101

  • 1. © 2013 Imperva, Inc. All rights reserved. CMS Hacking 101 Analyzing the Risk with 3rd Party Applications Confidential1 Barry Shteiman Senior Security Strategist
  • 2. © 2013 Imperva, Inc. All rights reserved. Agenda Confidential2 §  CMS defined §  Risks and trends §  Recent incidents §  Into the details •  An attack campaign •  Industrialized attack campaign §  Reclaiming security
  • 3. © 2013 Imperva, Inc. All rights reserved. Today’s Speaker - Barry Shteiman Confidential3 §  Senior Security Strategist §  Security consultant working with the CTO office §  Author of several application security tools §  Open source security projects code contributor §  Twitter @bshteiman
  • 4. © 2013 Imperva, Inc. All rights reserved. CMS Defined Confidential4 Content Management System
  • 5. © 2013 Imperva, Inc. All rights reserved. What is a CMS? Confidential5 A content management system (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface. Source: https://en.wikipedia.org/wiki/Content_management_system
  • 6. © 2013 Imperva, Inc. All rights reserved. Deployment Distribution Confidential6 Source: http://trends.builtwith.com/cms
  • 7. © 2013 Imperva, Inc. All rights reserved. Enterprise Adoption Confidential7
  • 8. © 2013 Imperva, Inc. All rights reserved. Risks and Trends Confidential8
  • 9. © 2013 Imperva, Inc. All rights reserved.9 OWASP Top 10 – 2013 Update New, A9 - Using Known Vulnerable Components Confidential
  • 10. © 2013 Imperva, Inc. All rights reserved.10 3rd Party According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential
  • 11. © 2013 Imperva, Inc. All rights reserved. When a 3rd Party Brings its Friends Confidential11 §  More than 20% of the 50 most popular WordPress plugins are vulnerable to web attacks §  7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks -- Checkmarx Ltd. research lab “The Security State of WordPress’ Top 50 Plugins” white paper, June 18, 2013 You can’t fix code you don’t own, even if you host your own, that code has third party components in it.
  • 12. © 2013 Imperva, Inc. All rights reserved. Attack Surface Confidential12 Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html BSI is Germany's federal office for information security In a research conducted by BSI in Germany, ~20% of the vulnerabilities discovered were found in the CMS core, ~80% in plugins and extensions.
  • 13. © 2013 Imperva, Inc. All rights reserved. Classic Web Site Hacking Confidential13 Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Single Site Attack
  • 14. © 2013 Imperva, Inc. All rights reserved. Classic Web Site Hacking Confidential14 Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Hacking 1.  Identify Target 2.  Find Vulnerability 3.  Exploit Multiple Site Attacks
  • 15. © 2013 Imperva, Inc. All rights reserved. CMS Hacking Confidential15 Hacking 1.  Identify CMS 2.  Find Vulnerability 3.  Exploit CMS Targeting Attack
  • 16. © 2013 Imperva, Inc. All rights reserved. Recent Incidents Confidential16
  • 17. © 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Breached via 3rd party application on Drupal.org own servers.
  • 18. © 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential18 3rd party service provider hacked, customer data affected.
  • 19. © 2013 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential19 Yahoo’s 3rd party hack as detailed in Imperva’s January HII report. HII Report: http://www.imperva.com/docs/HII_Lessons_Learned_From_the_Yahoo_Hack.pdf
  • 20. © 2013 Imperva, Inc. All rights reserved. CMS Related Incidents Confidential20
  • 21. © 2013 Imperva, Inc. All rights reserved. Into the Details Confidential21 How a CMS Attack Campaign Might Look
  • 22. © 2013 Imperva, Inc. All rights reserved.22 The Attacker’s Focus Server Takeover Direct Data Theft Confidential
  • 23. © 2013 Imperva, Inc. All rights reserved. CMS Mass Hacking Confidential23 Source: www.exploit-db.com Step 1: Find a vulnerability in a CMS platform Even public vulnerability databases, contain thousands of CMS related vulnerabilities.
  • 24. © 2013 Imperva, Inc. All rights reserved. CMS Gone Wild(card) Confidential24 Step 2: Identify a fingerprint in a relevant CMS-based site A fingerprint can be •  Image •  URL •  Tag •  Object Reference •  Response to a query •  etc..
  • 25. © 2013 Imperva, Inc. All rights reserved. Fingerprinted Confidential25 Tag based The code will usually contain fingerprints (unless obfuscated) of the CMS in use.
  • 26. © 2013 Imperva, Inc. All rights reserved. Fingerprinted Confidential26 URL based An administrator interface may be front facing, allowing detection and login attempts
  • 27. © 2013 Imperva, Inc. All rights reserved. Google Dork for the Masses Confidential27 §  Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config) §  Results: 144,000
  • 28. © 2013 Imperva, Inc. All rights reserved. Google Dork for the Masses Confidential28 In our case: Database Host, User and Password Exposed
  • 29. © 2013 Imperva, Inc. All rights reserved. Botnets Targeting Your CMS Confidential29 Recently Observed: •  Botnets Scan websites for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the Botnet
  • 30. © 2013 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential30 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team Google Dork
  • 31. © 2013 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential31 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
  • 32. © 2013 Imperva, Inc. All rights reserved. Reclaiming Security Confidential32 Securing 3rd Party Applications
  • 33. © 2013 Imperva, Inc. All rights reserved. Analyzing the Attack Surface Confidential33 Graphics Source: https://www.bsi.bund.de/DE/Publikationen/Studien/CMS/Studie_CMS.html BSI is Germany's federal office for information security Certain vulnerabilities in 3rd party applications, can only be properly fixed using Web Application Firewalls.
  • 34. © 2013 Imperva, Inc. All rights reserved. Deployment Matters Confidential34 Cloud based deploymentOn premise deployment Applications and 3rd party code deployed in your virtual/physical data center. Hosted applications and B2B services. Imperva Incapsula Cloud
  • 35. © 2013 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage. §  Require third party applications to accept your security policies and put proper controls in place §  Monitor. Recommendations 35 Confidential35
  • 36. © 2013 Imperva, Inc. All rights reserved. §  Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities §  Pen test before deployment to identify these issues §  Deploy the application behind a WAF to •  Virtually patch pen test findings •  Mitigate new risks (unknown on the pen test time) •  Mitigate issues the pen tester missed •  Use cloud WAF for remotely hosted applications §  Virtually patch newly discovered CVEs •  Requires a robust security update service Technical Recommendations 36 Confidential36
  • 37. © 2013 Imperva, Inc. All rights reserved. Post-Webcast Discussions Answers to Attendee Questions Webcast Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for… Presentation Materials Confidential3737
  • 38. © 2013 Imperva, Inc. All rights reserved. www.imperva.com 38 Confidential